GhostPoster Browser Extensions Found Malicious, Installed 840,000 Times
Recent reports have unveiled a series of 17 dangerous browser extensions linked to the GhostPoster campaign. These extensions have been identified across major browsers, including Chrome, Firefox, and Edge, accumulating approximately 840,000 installations in total. The GhostPoster campaign was initially reported by Koi Security researchers back in December.
Malicious Functionality of GhostPoster Extensions
The identified extensions were found to contain malicious JavaScript code hidden within their logo images. This code performs various nefarious activities, such as:
- Monitoring browser activity
- Injecting a backdoor into the browser
- Tracking online behavior
- Hijacking affiliate links on e-commerce websites
- Injecting invisible iframes for ad and click fraud
Details on the 17 Malicious Extensions
A recent report by LayerX confirmed that the GhostPoster campaign continues to evolve despite its previous exposure. The list of the 17 malicious extensions includes:
| Extension Name | Installations |
|---|---|
| Google Translate in Right Click | 522,398 |
| Translate Selected Text with Google | 159,645 |
| Ads Block Ultimate | 48,078 |
| Floating Player – PiP Mode | 40,824 |
| Convert Everything | 17,171 |
| YouTube Download | 11,458 |
| One Key Translate | 10,785 |
| AdBlocker | 10,155 |
| Save Image to Pinterest on Right Click | 6,517 |
| Instagram Downloader | 3,807 |
| RSS Feed | 2,781 |
| Cool Cursor | 2,254 |
| Full Page Screenshot | 2,000 |
| Amazon Price History | 1,197 |
| Color Enhancer | 712 |
| Translate Selected Text with Right Click | 283 |
| Page Screenshot Clipper | 86 |
Campaign Origin and Continued Threat
The GhostPoster campaign appears to have started on Microsoft Edge before expanding into Firefox and Chrome. LayerX’s findings indicate some of these extensions have been available in browser stores since 2020, which shows the campaign’s long-term success.
Technological Evolution
Researchers from LayerX noted that the malicious tactics have evolved, particularly with the ‘Instagram Downloader’ extension. This variant moves the harmful code into the extension’s background script. It also utilizes a bundled image file to hide the payload, enhancing the strategy’s complexity.
The background script identifies specific data within the image file, stores it, and ultimately decodes it to execute malicious JavaScript. This method indicates a shift toward longer dormancy and greater resilience against detection.
Current Status and User Safety
While the newly identified extensions have been removed from Mozilla’s and Microsoft’s add-on stores, users who installed them might remain vulnerable. BleepingComputer reached out to Google, confirming that all related extensions have been eliminated from the Chrome Web Store. Users should take precautions and regularly monitor their installed extensions to safeguard their online security.
